Guide to Intrusion Detection and Prevention Systems - Literature review Example

Summary
This review of 'Guide to Intrusion Detection and Prevention Systems' argues that protecting computer network resources is essential to protecting organizational data from unauthorized access. …

Guide to Intrusion Detection and Prevention Systems

In today's rapidly changing technological environment, the adoption of high-quality intrusion detection and prevention systems (IDPS) is a constant concern. Network engineers, computer science professionals and other information security stakeholders work hard to select the best set of tools for detecting and preventing intrusions into an organization's computer systems and networks. Ever-advancing attack techniques leave most computer networks exposed to significant risk, and network security stakeholders accordingly do their best to secure them against unauthorized intrusion. This paper delivers an analytical report on the different types of intrusion detection and prevention systems through an account of the article Guide to Intrusion Detection and Prevention Systems (Scarfone & Mell, 2007).

In simple terms, an intrusion detection and prevention system is a designed and configured set of tools that monitors inbound and outbound network activity in order to identify, and where possible prevent, suspicious patterns of unauthorized access to an organization's network. The IDPS monitors the organization's network traffic, identifies potential threats and responds to them in a manner that maintains a secure network environment. In essence, an IDPS helps ensure that only authorized users and devices gain access to network resources (Scarfone & Mell, 2007). Several types of intrusion detection and prevention systems are currently in use in most organizations.
These products aim to protect the organization against ever-advancing attack techniques that threaten the integrity and safety of organizational data and trade secrets. A thorough analysis of each section of the article yielded the following account of the different types of IDPS (Rash & Henmi, 2005).

Intrusion detection and prevention principles

Protecting computer network resources is always important in protecting organizational data from unauthorized access. An intrusion detection system (IDS) on its own is valuable for monitoring the events that take place in a network and analyzing them for signs of possible incidents. An intrusion prevention system (IPS) performs the same detection functions and additionally attempts to stop detected incidents; it provides a configured set of software components that can block a possible threat to the security of a computer system. The IDPS therefore provides an integrated set of functions based on both technologies (Northcutt & Novak, 2002).

IDPSs serve a wide range of uses. Their primary purpose is to identify possible incidents against a computer system or network. They can also be configured to recognize violations of an organization's security policies, and to monitor file transfers and flag suspicious data. In general, an IDPS plays a major role in identifying incidents and supports the incident response effort (Scarfone & Mell, 2007). A further application of an IDPS is identifying problems in an organization's information security policy.
It does this by providing a degree of quality control for the security policy: for example, an IDPS can be configured to duplicate a firewall's ruleset and alert when it sees network traffic that the firewall should have blocked but did not (Scarfone & Mell, 2007). Documenting the existing threats to an organization is another key function of an IDPS. The IDPS logs information about the threats it detects, and this information supports an organized approach to stopping them. The IDPS also deters individuals from violating the organization's security policies: because users know that their activity on the organization's computer systems is monitored, they can be held accountable for it (Rash & Henmi, 2005).

Main functions of the IDPS

The security of an organization's computer systems and information resources is a necessity for its operations, and the IDPS provides a significant set of functions needed to deliver it. Almost all IDPSs offer the following functions. The first is recording information about observed events. This data is recorded continuously, locally on the IDPS and typically also sent to separate systems such as centralized logging servers (Ghorbani, Lu & Tavallaee, 2010). The second is notifying (alerting) information security personnel of important observed events. Alerts are delivered through mechanisms such as e-mail, messages on the IDPS user interface and syslog messages.
The notification message typically contains only basic information about the event; authorized administrators then consult the IDPS console for the details. The third function is producing summary reports on all monitored events, which give administrators a bird's eye view of the detected threats (Rehman, 2003). Fourth, and specific to an intrusion prevention system (IPS), is stopping an attack itself. This can be done in a number of ways, such as terminating the network connection or blocking the offending Internet Protocol (IP) address or user account from accessing the target. The fifth function, also specific to an IPS, is changing the security environment: the IPS reconfigures other security controls, such as a firewall or router, to contain a potential threat. Finally, an IPS can change the content of an attack by removing or replacing the malicious portion of it, for example by removing an infected attachment from an e-mail before it reaches the recipient. All of these features are of great significance in enhancing the security of a computer system (Scarfone & Mell, 2007).

Common detection methodologies

The success of most intrusion detection and prevention systems depends on the detection methodologies they use. Most IDPSs integrate multiple methodologies into one coherent product in order to provide broader and more accurate detection. There are three main classes: signature-based detection, anomaly-based detection and stateful protocol analysis (Scarfone & Mell, 2007). In signature-based detection, a signature is a pattern that corresponds to a known threat.
Signature-based detection compares these signatures against observed events to identify possible incidents. It is the simplest detection method because it only compares the current unit of activity, such as a packet or a log entry, against a predefined list of signatures. It is effective at detecting known threats, but largely ineffective against unknown threats, and because it has little understanding of protocol or application state it cannot track an attack that spans several events.

The second methodology is anomaly-based detection, which compares definitions of what is considered normal activity against observed events to identify significant deviations. The IDPS maintains profiles of the expected normal behavior of users, hosts, connections and applications, and uses statistical methods to compare current activity against them. The main advantage of this method is that it can detect previously unknown threats; its main weakness is false positives, since legitimate but unusual activity also deviates from the profile (Scarfone & Mell, 2007).

Third, stateful protocol analysis compares predetermined profiles of generally accepted definitions of benign protocol activity against observed events to identify deviations. Unlike anomaly-based detection, it does not rely on host- or network-specific profiles; instead it depends on vendor-developed universal profiles that specify how particular protocols should and should not be used. These protocol models are usually based on universally recognized standards such as the Request for Comments (RFC) series.
Because the IDPS understands the state of each session, it can detect unexpected sequences of commands, which makes stateful protocol analysis a strong detection methodology (Di Pietro & Mancini, 2008). It does, however, have considerable drawbacks. First, the complexity of the analysis and the overhead of tracking state for many simultaneous sessions make the method very resource-intensive. Second, it cannot detect attacks that do not violate the accepted protocol characteristics, such as performing many benign actions in a short time to cause a denial of service; an attacker with knowledge of the accepted protocol behavior can stay within it. Third, the protocol model may conflict with the way a protocol is actually implemented in particular products, or lag behind revisions to the standards.

Types of IDPS technologies

A wide range of IDPS technologies is in use in network security centres. They are usually grouped into four types, distinguished by the types of events they monitor and the ways in which they are deployed: network-based, wireless, network behavior analysis (NBA) and host-based.

Network-based IDPS

A network-based IDPS monitors the network traffic of particular network segments or devices to spot suspicious events or activity. It is usually deployed at a boundary between networks, for example in proximity to border firewalls and routers, virtual private network servers and remote access servers. In essence, a network-based IDPS monitors the traffic of a specific set of network segments and devices.
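The three detection methodologies described above (signature-based, anomaly-based and stateful protocol analysis) are the analysis a network-based sensor applies to the traffic it captures. The following is an added worked example, not code from the NIST guide or from this paper: a toy sensor in Python that runs all three methods over constructed connection and command records. The signatures, the hosts, the traffic and the simplified SMTP state model are all constructed for illustration (the message body after DATA is abstracted away); the only external facts encoded are the SMTP command order and the 512-octet command line limit from RFC 5321.

```python
"""Toy IDPS detection engine: signature, anomaly and stateful protocol analysis (added example)."""
import re
import statistics
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One unit of observed activity, i.e. one request or command seen on the wire (constructed)."""
    ts: int        # seconds since the start of the capture
    src: str
    dst: str
    dport: int
    session: int   # constructed connection id, so the stateful checker can group commands
    payload: str   # decoded (and URL-decoded) application-layer data


# 1. Signature-based detection: a pattern per known threat (constructed signatures, not a real ruleset).
SIGNATURES = {
    "sqli-tautology": re.compile(r"'\s*or\s+'?1'?\s*=\s*'?1", re.I),
    "path-traversal": re.compile(r"(\.\./){2,}"),
    "smtp-vrfy-probe": re.compile(r"^VRFY\s", re.I),
}


def signature_detect(events):
    """Compare each event against the signature list; simple, but blind to anything without a signature."""
    return [(ev.ts, "signature", name, ev.src)
            for ev in events for name, pat in SIGNATURES.items() if pat.search(ev.payload)]


# 2. Anomaly-based detection: profile normal per-source activity and flag statistical outliers.
def build_profile(training_events, window=60):
    """Mean and standard deviation of events per source per window, learned from traffic assumed benign."""
    counts = Counter((ev.src, ev.ts // window) for ev in training_events)
    values = list(counts.values())
    return statistics.mean(values), statistics.pstdev(values)


def anomaly_detect(events, profile, window=60, k=3.0):
    """Flag any (source, window) whose event count exceeds mean + k standard deviations."""
    mean, stdev = profile
    threshold = mean + k * stdev
    counts = Counter((ev.src, ev.ts // window) for ev in events)
    return [(int(w * window), "anomaly", f"{n} events/window > {threshold:.1f}", src)
            for (src, w), n in sorted(counts.items()) if n > threshold]


# 3. Stateful protocol analysis: a (simplified) model of how SMTP should be used, per RFC 5321.
SMTP_TRANSITIONS = {
    "init":    {"HELO": "greeted", "EHLO": "greeted", "QUIT": "done"},
    "greeted": {"MAIL": "mail", "RSET": "greeted", "VRFY": "greeted", "NOOP": "greeted", "QUIT": "done"},
    "mail":    {"RCPT": "rcpt", "RSET": "greeted", "QUIT": "done"},
    "rcpt":    {"RCPT": "rcpt", "DATA": "data", "RSET": "greeted", "QUIT": "done"},
    "data":    {"MAIL": "mail", "RSET": "greeted", "QUIT": "done"},  # body is not modelled here
}
MAX_COMMAND_LINE = 512  # RFC 5321 section 4.5.3.1.4: command line limit in octets, including CRLF


def stateful_detect(events):
    """Track each SMTP session's state and flag commands that are out of order or oversized."""
    state = defaultdict(lambda: "init")
    alerts = []
    for ev in sorted((e for e in events if e.dport == 25), key=lambda e: (e.session, e.ts)):
        verb = ev.payload.split(" ", 1)[0].rstrip("\r\n").upper()
        if len(ev.payload) > MAX_COMMAND_LINE:
            alerts.append((ev.ts, "stateful", f"{verb} line exceeds {MAX_COMMAND_LINE} octets", ev.src))
        cur = state[ev.session]
        nxt = SMTP_TRANSITIONS.get(cur, {}).get(verb)
        if nxt is None:
            alerts.append((ev.ts, "stateful", f"{verb} not valid in state {cur}", ev.src))
            continue  # a rejected command leaves the modelled state unchanged
        state[ev.session] = nxt
    return alerts


def run_sensor(training, observed, window=60):
    """Run all three methodologies, as a multi-method sensor would, and merge the alerts by time."""
    profile = build_profile(training, window)
    return sorted(signature_detect(observed) + anomaly_detect(observed, profile, window)
                  + stateful_detect(observed))


# Constructed traffic. Helpers build HTTP requests to 10.0.0.5 and SMTP commands to 10.0.0.6.
def _http(ts, src, session, path):
    return Event(ts, src, "10.0.0.5", 80, session, f"GET {path} HTTP/1.1")


def _smtp(ts, src, session, line):
    return Event(ts, src, "10.0.0.6", 25, session, line)


# Baseline period: three internal hosts making 3, 4 and 2 requests per minute for five minutes.
TRAINING = [_http(w * 60 + i * 10, src, 1000 + w * 10 + i, "/index.html")
            for src, per_window in (("10.0.0.11", 3), ("10.0.0.12", 4), ("10.0.0.13", 2))
            for w in range(5) for i in range(per_window)]

OBSERVED = (
    [_http(5 + i * 10, "10.0.0.11", 1 + i, "/index.html") for i in range(3)]          # benign browsing
    + [_http(12, "10.0.0.77", 50, "/login?user=admin' or '1'='1"),                   # SQL injection
       _http(14, "10.0.0.77", 51, "/static/../../etc/passwd")]                       # path traversal
    + [_http(20 + i, "10.0.0.99", 100 + i, "/") for i in range(20)]                   # burst: no signature
    + [_smtp(30, "10.0.0.12", 200, "EHLO client.example"),                            # a normal session
       _smtp(31, "10.0.0.12", 200, "MAIL FROM:<a@example>"),
       _smtp(32, "10.0.0.12", 200, "RCPT TO:<b@example>"),
       _smtp(33, "10.0.0.12", 200, "DATA"),
       _smtp(34, "10.0.0.12", 200, "QUIT")]
    + [_smtp(40, "10.0.0.88", 300, "EHLO x"),                                         # attacker session
       _smtp(41, "10.0.0.88", 300, "VRFY root"),                                      # valid SMTP, known probe
       _smtp(42, "10.0.0.88", 300, "RCPT TO:<victim@example>"),                       # RCPT before MAIL
       _smtp(43, "10.0.0.88", 300, "MAIL FROM:<" + "A" * 600 + "@example>")]          # oversized line
)

if __name__ == "__main__":
    for alert in run_sensor(TRAINING, OBSERVED):
        print(alert)
```

The output shows the trade-offs discussed above in miniature: the signatures catch the injection, the traversal and the VRFY probe but say nothing about the 20-connection burst; the anomaly detector catches the burst from the baseline alone, but would equally flag a legitimate host that suddenly became busy; the protocol model catches the out-of-order RCPT and the oversized command line but treats the VRFY probe as perfectly valid SMTP. This is why real sensors combine the three methods.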
A network-based sensor analyzes the network-layer, transport-layer and application-layer protocols in that traffic to identify suspicious activity (Cisco security professionals' guide to secure intrusion detection systems, 2003). A network-based IDPS is made up of a well-organized set of components that form the basis of its day-to-day operation. A typical deployment consists of sensors, one or more management servers, multiple consoles and, optionally, one or more database servers for storing event data (Scarfone & Mell, 2007). Sensors come in two formats: appliance-based and software-only. An appliance-based sensor is specialized hardware with sensor software, often using specialized network interface cards (NICs) and NIC drivers for efficient capture of every packet on the monitored segment. A software-only sensor is an installable software package that runs on a host and operating system supplied by the organization.

The positioning of sensors is of great concern in enhancing network security. A sensor is deployed either inline or passively. An inline sensor is placed so that the traffic it monitors must pass through it, much like a firewall; this format works best for blocking potential threats as soon as they appear in the traffic.
A passive sensor, by contrast, has no traffic passing through it. Instead, it monitors a copy of the actual traffic, obtained through a spanning port on a switch, a network tap or an IDS load balancer. Passive sensors work well for monitoring key locations in a network (Scarfone & Mell, 2007).

A network-based IDPS has a significant number of security capabilities. It can gather information about hosts and their network activity, which is essential for analyzing network vulnerabilities. It has extensive logging capabilities, which are important for confirming the validity of alerts and investigating incidents. It provides extensive detection capabilities, and it offers prevention capabilities through both inline and passive sensors (Scarfone & Mell, 2007).

Despite these merits, network-based IDPS technology has significant limitations. First, it cannot detect attacks carried in encrypted network traffic. Second, it may perform poorly under high traffic loads, causing some incidents to go undetected. Third, the sensors are susceptible to attacks aimed directly at them: a denial of service attack that overwhelms a sensor, such as a distributed denial of service (DDoS) flood, can leave the attacks it should be detecting unseen (Whitman & Mattord, 2012).

Wireless IDPS

A wireless IDPS monitors and analyzes wireless network traffic and protocols to identify potential threats. The monitoring concerns the wireless networking protocols themselves.
Wireless IDPS technologies therefore cannot identify threats in the higher-layer protocols, such as IP, TCP or the application protocols, that the wireless network carries. The technology is usually deployed within the range of the organization's wireless network, but it can also be deployed in locations where there should be no wireless activity, in order to detect unauthorized wireless access (Scarfone & Mell, 2007). A wireless IDPS has the same set of components as a network-based IDPS: consoles, management servers, sensors and an optional database server. With the exception of the sensors, these components have the same functions. Wireless sensors operate in a more complex environment because of the nature of radio communication and interference. A sensor can monitor only one channel at a time, so it has to sample traffic across channels (channel scanning); as a result not every frame on every channel is examined. Wireless sensors are available in three common types. The first is the dedicated sensor, a device that provides all the main wireless IDPS functions. A dedicated sensor does not transmit wireless traffic from source to destination; it works completely passively, monitoring the radio spectrum of the wireless network. Dedicated sensors are designed for two deployment approaches, fixed and mobile: a fixed sensor is placed at a specific location, while a mobile sensor is carried around by an administrator (Ciampa, 2008). The second type is a sensor bundled with an access point (AP).
In this model, the IDPS capabilities are integrated into the AP, which divides its time between providing network access and monitoring for attacks. The third type is a sensor bundled with a wireless switch, where the IDPS capabilities are integrated into the switch to help administrators manage and monitor the wireless network. These devices help an organization maintain a more secure wireless network.

A wireless IDPS offers a diversified set of capabilities, including information gathering: identifying WLAN (wireless local area network) devices and identifying the WLANs themselves. It offers extensive logging of detected events, which is crucial for confirming the validity of alerts. It offers detection capabilities, and prevention capabilities that can block unauthorized access to the organization's network and resources (Scarfone & Mell, 2007).

Despite these benefits, several limitations are associated with wireless IDPS technologies. The first is the inability to detect certain wireless protocol attacks. This typically involves weak security methods such as Wired Equivalent Privacy (WEP): an attacker who passively captures traffic in order to crack a WEP key transmits nothing that a sensor can observe. Another major limitation is susceptibility to evasion: an attacker who fingerprints the sensors' channel scanning behaviour can time an attack for the periods when the channel is not being monitored. The technology is also susceptible to denial of service attacks, both against the wireless network and against the sensors themselves (Scarfone & Mell, 2007).

Network Behavior Analysis

The third type of IDPS technology is network behavior analysis (NBA).
NBA examines network traffic to identify threats that generate unusual traffic flows, such as distributed denial of service (DDoS) attacks, certain forms of malware and violations of the organization's network security policies. NBA is usually used to monitor flows on an organization's internal networks, and it can also monitor flows between the internal network and external networks (Scarfone & Mell, 2007). An NBA solution uses some of the common IDPS components: sensors and consoles, and in some products management servers, which are sometimes called analyzers. NBA sensors are in most cases available only as appliances. NBA technology offers roughly the same kinds of security capabilities as the first two types. It gathers information extensively, for example by automatically building and maintaining lists of the hosts communicating on the monitored network, along with the ports each host uses and passive fingerprinting details about its operating system and services. It also logs extensively about detected events; the fields typically logged include the timestamp, event or alert type, rating, network-, transport- and application-layer protocols, source and destination IP addresses and ports, and the prevention action performed, if any. Furthermore, the technology offers prevention capabilities, which are grouped by sensor type as follows.
A passive-only sensor can attempt to end an existing TCP session by sending TCP reset packets to both endpoints, which is often too slow to stop a fast attack. An inline sensor can perform firewall-like filtering of the traffic passing through it. Third, both passive and inline sensors can reconfigure other network security devices, such as firewalls and routers, to block the offending activity (Scarfone & Mell, 2007). Although NBA offers robust security benefits, it has considerable limitations. The most common is a delay in detecting attacks, because flow data is usually transferred to the sensor in batches; this delay is dangerous where an urgent response is required to protect vital data (Scarfone & Mell, 2007).

Host-based IDPS

The final major type of IDPS technology is the host-based IDPS. It monitors the characteristics of a single host and the events occurring within it, such as network traffic to and from the host, system logs, running processes and application activity, file access and modification, and system and application configuration changes. It is usually deployed on critical hosts, such as publicly accessible servers and servers containing sensitive or crucial organizational data; protecting these hosts from unauthorized access is a building block of organizational success. The typical host-based IDPS component is detection software known as an agent, which is installed on the host of interest. The agent monitors all activity on that host and, when its prevention capabilities are enabled, performs prevention actions (Scarfone & Mell, 2007). Some host-based IDPS products instead use dedicated appliances with pre-installed agents.
Unlike software agents installed on individual hosts, such appliances monitor the traffic to and from the hosts they protect. Each agent typically protects a server, a client host (desktop or laptop) or an application service. The host-based IDPS offers a significant number of security capabilities. It logs extensively about detected events, which is essential for confirming the validity of security alerts; the logged fields include the timestamp, event or alert type, rating, event details and the prevention action performed, if any. It offers extensive detection capabilities through a combination of signature-based and anomaly-based techniques, covering malicious code, network attacks against the host, unauthorized file changes and policy violations. Furthermore, it provides a number of intrusion prevention capabilities, achieved through techniques such as file system monitoring, network traffic filtering, network traffic analysis and code analysis (Caswell, Beale & Baker, 2007). Despite its strengths, the host-based IDPS has a significant set of limitations. Alerts may be delayed, because many agents check for events periodically rather than in real time, and centralized reporting is delayed because agents often transfer their data to the management server in batches. Agents consume host resources, which slows the host down. Agents can also conflict with existing security controls on the host, such as personal firewalls. Finally, installing or updating an agent often requires the host to be rebooted, and the host is unprotected while the agent is not running (Scarfone & Mell, 2007).
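File system monitoring, listed above as one of the host-based techniques, means recording a trusted baseline of each critical file's content hash and attributes and comparing the live host against it. The following is an added example, not code from the NIST guide or from this paper: a minimal file-integrity check in Python of the kind a HIDS agent runs. The directory tree, file contents, log line and attacker actions are all constructed for the demonstration.

```python
"""Minimal host-based file-integrity monitoring (added example, constructed scenario)."""
import hashlib
import os
import stat
import tempfile


def _sha256(path):
    """Hash a file in chunks so large binaries do not have to be read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Record content hash, permission bits and owner for every regular file under root."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are out of scope for this simplified agent
            baseline[os.path.relpath(full, root)] = {
                "sha256": _sha256(full),
                "mode": stat.S_IMODE(st.st_mode),  # includes setuid/setgid/sticky bits
                "uid": st.st_uid,
            }
    return baseline


def compare(baseline, current):
    """Return added, removed and modified paths; each modified entry names the attributes that changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = []
    for rel in sorted(set(baseline) & set(current)):
        changed = [k for k in ("sha256", "mode", "uid") if baseline[rel][k] != current[rel][k]]
        if changed:
            modified.append((rel, changed))
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Baseline a constructed system tree, simulate an intrusion, and report what the agent would see."""
    with tempfile.TemporaryDirectory() as root:
        files = {  # constructed contents standing in for real system files
            "etc/sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n",
            "etc/passwd": "root:x:0:0:root:/root:/bin/bash\n",
            "bin/ls": "#!/bin/sh\nexec /usr/bin/ls \"$@\"\n",
            "var/log/auth.log": "Accepted publickey for alice from 10.0.0.11\n",
        }
        for rel, content in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as f:
                f.write(content)
            os.chmod(path, 0o644)
        baseline = snapshot(root)  # in a real agent this is taken on a known-good host and stored off-host

        # Simulated attacker activity after the baseline was taken:
        with open(os.path.join(root, "etc/sshd_config"), "a") as f:  # weaken a configuration
            f.write("PermitRootLogin yes\n")
        os.chmod(os.path.join(root, "bin/ls"), 0o4755)                # add a setuid bit to a binary
        with open(os.path.join(root, "bin/.backdoor"), "w") as f:    # drop a new executable
            f.write("#!/bin/sh\n/bin/sh -i\n")
        os.remove(os.path.join(root, "var/log/auth.log"))            # destroy evidence

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, entries in demo().items():
        print(kind, entries)
```

Two points from the text are visible here. The configuration change and the setuid bit are caught even though the attacker never sent a packet that a network-based sensor could have matched, which is why host-based agents are deployed on critical servers. And the check is only as trustworthy as the baseline: if it is kept on the monitored host, an attacker with root simply re-baselines after the changes, so a real agent ships the baseline to the management server, which also explains the reporting delays noted above.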
The following table provides a brief comparison of some commonly available intrusion detection and prevention systems (IDPS) by type and cost, as reported in this paper.

IDPS                               Type                        Cost
McAfee Host Intrusion Prevention   Host-based IDPS             $668.99
OrcaFlow                           Network behavior analysis   $159
Cisco Security Agent               Host-based IDPS             $60.00
QRadar                             Network behavior analysis   $124.80
BlueSecure                         Wireless IDPS               $799.00
Snort                              Network-based IDPS          $31.90

(The prices are the paper's figures. Snort itself is free, open source software, so its listed cost cannot refer to the software.)

In general, a thorough analysis of the article makes it clear that successful security in a computer network depends heavily on integrating quality intrusion detection and prevention systems. IDPS technologies are divided into four main types: network-based, wireless, network behavior analysis and host-based. As discussed above, integrating these security controls into a network plays a major role in promoting the secure flow of data. Among the commonly available IDPSs are Snort, BlueSecure and Cisco Security Agent. It is therefore very important that up-to-date intrusion detection and prevention systems are installed in almost all organizational networks. Installing high-quality IDPS is a building block for achieving the key information security goals of any organization: confidentiality, integrity and availability of resources.

References

Caswell, B., Beale, J., & Baker, A. (2007). Snort intrusion detection and prevention toolkit. Burlington, MA: Elsevier.
Ciampa, M. D. (2008). Security+ guide to network security fundamentals. Clifton Park, NY: Delmar Learning.
Cisco security professionals' guide to secure intrusion detection systems. (2003). Rockland, MA: Syngress.
Di Pietro, R., & Mancini, L. V. (Eds.). (2008). Intrusion detection systems.
New York, NY: Springer.
Ghorbani, A. A., Lu, W., & Tavallaee, M. (2010). Network intrusion detection and prevention: Concepts and techniques. New York, NY: Springer.
Northcutt, S., & Novak, J. (2002). Network intrusion detection. Indianapolis, IN: New Riders.
Rash, M., & Henmi, A. (2005). Intrusion prevention and active response: Deploying network and host IPS. Rockland, MA: Syngress.
Rehman, R. U. (2003). Intrusion detection systems with Snort: Advanced IDS techniques using Snort, Apache, MySQL, PHP, and ACID. Upper Saddle River, NJ: Prentice Hall.
Scarfone, K., & Mell, P. (2007). Guide to intrusion detection and prevention systems (IDPS): Recommendations of the National Institute of Standards and Technology (NIST Special Publication 800-94). Retrieved from http://csrc.nist.gov/publications/nistpubs/800-94/SP800-94.pdf
Whitman, M. E., & Mattord, H. J. (2012). Principles of information security. Boston, MA: Course Technology.
